Monday, May 31st was Memorial Day. It’s a day of remembrance and gratitude. Here’s the text from one of my Twitter posts:
A small table set for one, symbolizing the isolation of our absent service member.
The table is round to represent the everlasting concern the survivors have for the missing.
The white tablecloth symbolizes the pure motives of our lost service members who responded to our country’s call to arms.
A single rose in the vase represents the blood our service members have shed in sacrifice to ensure the freedom of the United States of America.
The rose also represents family and friends who keep the faith while awaiting the return of the missing service members.
The red ribbon represents our service members’ love of country that inspired them to serve our country.
A slice of lemon on the bread plate represents the bitter fate of the missing.
Salt sprinkled on the bread plate represents the tears shed by waiting families.
The inverted glass represents the fact that the missing and fallen cannot partake.
A Bible represents the spiritual strength and faith to sustain the lost.
A lit candle symbolizes a light of hope that lives in hearts to illuminate the missing’s way home.
An empty chair represents the absence of our beloved missing and fallen. service members.
We are grateful for all our men and women who serve in uniform and we hold those who sacrificed all in the highest esteem.
The Show Must Go On
Visiting with our guests the past couple months has been a lot of fun and we hope it’s been educational and entertaining for our listeners. We hope listeners enjoyed listening as much as we enjoyed hosting!
This week (episode 134), Brad and I are going to take a look at some of the recent news. Lord knows, there’s plenty to cover!
Let’s get to the episode 134 show notes, shall we?
SHOW NOTES – Episode 134 – Wednesday June 2nd, 2021
[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 134, and the date is June 2nd, 2021. Joining me is my good friend, Mr. Brad Nigh. Good Morning Brad!
[Evan] Welcome back from Memorial Day weekend. It was a beautiful weekend to pay our respects.
What’s going on in the world of “cybersecurity”?
Today, we’re going to change things up a little. There’s so much going on in the world around us, I thought it would be good for us to focus on six news articles and discuss them. Here they are:
That’s a lot to unpack! Hopefully you caught all that.
Wrapping Up – Shout Outs
Who’s getting shout outs this week?
Thank you to all our listeners! Thank you Brad for a great conversation! If you have something you’d like to tell us, feel free to email the show at firstname.lastname@example.org. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.
Hard to believe that this is episode 100 already! I’ll have to write a recap of the journey sometime soon.
Crazy things all over the place here at FRSecure and SecurityStudio. If you’ve been an information security consultant, or if you know one, you know that 4th quarter is a crazy time of year. Turns out, COVID-19 and 2020 is NOT the exception. We’re happily swamped.
Having said all that, we’re a day late getting the podcast out again this week. Not because we didn’t try, but because life and work get in the way sometimes.
Hope you’re happy and healthy! On the the show; Brad’s leading and these are Brad’s notes.
SHOW NOTES – Episode 100
Date: Wednesday October 7th, 2020
Episode 100 Topics
Catching Up (as per usual)
the social dilemma, Part Two
Wrapping Up – Shout outs
[Brad] Welcome back! This is episode 100 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is October 6th, and joining me this morning as usual is Evan Francen.
[Evan] Talks about how busy things have been
[Brad] Last week we had a really good discussion about The Social Dilemma and we didn’t get to everything so we are doing part 2 today. But before we get going let’s recap our week.
[Evan] Evan’s cool story
[Brad] A recap of my week
the social dilemma, Part Two
[Brad] Okay let’s pick up where we left off. There are no shortage of takes on the movie, here are some I found interesting.
[Brad] That’s it for episode 100. Thank you Evan, do you have any shout outs this week?
[Evan] We’ll see.
[Brad] Thank you to all our listeners! Thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at email@example.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh, and Evan is @evanfrancen.
Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.
That’s it! Talk to you all again next week!
https://i0.wp.com/evanfrancen.com/wp-content/uploads/2020/09/socialmediaaddiction.png?fit=269%2C187&ssl=1187269Evan Francenhttps://evanfrancen.com/wp-content/uploads/2022/09/259CD09D-F0B8-4FFC-A050-C84AD4D31150.pngEvan Francen2020-10-07 07:58:102020-10-07 07:58:10UNSECURITY Podcast – Ep 100 Show Notes – The Social Dilemma Pt2
Hope you had a fantastic Labor Day weekend! Personally, it was nice to get away with family and disconnect for a while!
Did you know the history of Labor Day?
It’s always the first Monday in September, ad it’s dedicated to the social and economic achievements of American workers. The first state to recognize the holiday was Oregon in 1887, and it became a federal holiday in 1894. So, this year we celebrate more than 125 years of American work!
Read more about the history of Labor Day on the U.S. Department of Labor website.
Brad’s out today.
Like most weeks, I’m writing the show notes last minute. On the way into work this morning (2:30am), Brad sent me a text message informing me that he is not feeling well. We think it might be a bout of food poisoning, so he should be OK with some rest. Please keep him in your thoughts and prayers.
No Brad today, so this means I’m left to my own devices. This will be the first episode I’ve done by myself. We’ll see how this shakes out.
Let’s get on with it! These are my (Evan) notes.
SHOW NOTES – Episode 96
Date: Tuesday, September 8st, 2020
Episode 96 Topics
Context Means Everything A Lot
Wrapping Up – Shout outs
[Evan] Good morning everyone. Thanks for tuning in. The date is September 8th, 2020 and this is episode 96 of the UNSECURITY Podcast! I’m your host, Evan Francen, and my buddy is out sick today. Normally Brad Nigh joins me as co-host, but he informed me early this morning that he might have a case of some food poisoning.
Wishing Brad a fast and full recovery!
Be warned. Without Brad, I might end up rambling a bit!
[Evan] Regular listeners to our show know that Brad and I normally start off with catching up with each other. No Brad today, so I’ll bore you with some of the stuff I’ve been up to:
Great weekend camping with my wife, my daughter, my good friend Ryan Cloutier, and his wife Aimee
Bunch of meetings last week, including 11 last Tuesday; Chubb, the Cybercrime Support Network, Schneider Downs (makers of Red Lure), etc.
Lots of great work going on at both companies; FRSecure and SecurityStudio.
New service offerings at both companies.
S2Org – working on a global S2Score, integrating S2Team, S2Vendor, and new deeper-dive risk assessments.
S2Vendor – working on customized workflows, custom due dates, integration of something called the “Cowbell Factor”, vendor breach data/news, etc.
S2Me – Redesign based on user feedback, definition of four new “normal” language dialects, and the introduction of “Sam”.
The Security Shit Show last Thursday night; topic was “Negativity is Bullsh*t”.
Some other miscellaneous things…
Crazy week, but it appears as though business is really picking up and market sentiment is positive(r).
[Evan] Alright, again, no Brad to catch up with. Hoping he had a great week and weekend, minus the food poisoning thing. Now on to the topic for today’s show.
Context Means Everything A Lot
[Evan] If you know me, you know I use many sayings/themes to try to get my point across. One saying I’ve muttered many times:
One of the easiest tells for determining a good information security advice from bad is using context.
Context is critical. Think about it. You make decisions all day, from the seemingly insignificant ones to the critical ones, and everything in between. How does the lack of context effect your decision-making? Without context, the quality of your decisions will suffer.
Without context people make crappy decisions
Recent conversation with “James”:
[James] We get the importance of a risk assessment, but we’re just not focusing on that right now. We’re focusing on partnering with firms with forensics capabilities and setting up a security operations center (or “SOC”).
[Mike] Are these our most significant risks to focus on right now?
[James] We think so. We don’t have any forensics capabilities and we don’t feel like we’re able to identify events happening in our environment.
[Mike] What’s the environment look like? How many servers, how many systems, how many applications, etc.?
[James] We’ve probably got 100(ish) servers and a couple hundred applications I’d guess.
A recent conversation with “Bill”. Bill is the CEO:
[Bill] Hey Mike. We need to stop everything we’re working on and take care of this exploit I heard about from a friend.
[Mike] I’ve never heard of this exploit. Why do we need to stop everything and focus on it?
[Bill] My buddy over at XYZ company was just telling me about how his company got hit.
[Mike] OK, we’ll get right on it.
Regulators and auditors are notorious for missing context and often take us down the road of compliance management versus risk management.
Penetration testers, especially those who are newer to our industry are notorious for getting things out of context. Context is critical.
Same concept applies to the world Around Us
The information security industry is unique, but it’s not unique in the fact that human beings are the ones making decisions. Context works the same way.
Take COVID-19 for instance:
The headline reads “South Dakota dismisses ‘elite class of so-called experts,’ carries on with state fair after Sturgis rally fueled COVID-19 surge” – The words “Sturgis rally fueled COVID-19 surge” is troubling. If we made a decision based on these words it might be different than a decision with some context. The article goes on to say (buried in 6th paragraph) “Nationally, about 300 cases have been linked to the rally.” For context, there were an estimated 460,000 attendees. 300 cases out of 460,000 attendees works out to about .065%. Granted, there will likely be more, but the rally was a month ago now.
Another headline reads “New challenges in US battle against Covid-19 come with the approaching fall season” – This article goes on to say “The holiday crowds mark the unofficial end to a devastating summer across the country, with Covid-19 infections surging to more than 6.3 million and deaths topping 189,000.” The word “devastating” is not only subjective, but it lacks context. A single infection and a single death is bad, but in context it seems a little less devastating. 6.3 million people is about 1.91% of the U.S. population. More than 640,000 people die each year from heart disease and almost 600,000 die from cancer.
IMPORTANT: COVID-19 is a pandemic and it is VERY serious. I don’t mean to minimize the coronavirus in any way, but I do want to put it into context. Be courteous to others. Wear a mask and follow the CDC’s guidance. Speaking of the CDC, this is a great source for context!
Racism and police violence is another hot button issue. Judging from some of the news and reactions from some of the public, you’d certainly think this was worth burning down the “establishment”. I’m someone who wants to fix broken things, so if I’m interested in fixing broken things, I need to make good decisions in context. Here’s some context.
Spend some time reviewing the statistics and graph above. Don’t jump to any conclusions yet! There is a significant issue here, but I’d prefer to use logic versus emotion to drive my reaction.
Interesting information for sure, and I’m NOT going to draw any conclusions for you. Racism is a thing and it’s a very bad thing. Decisions about what we’re going to do about the problem will be more effective with context.
IMPORTANT: Racism is real and I’m praying for constructive solutions to end it versus destructive solutions that will probably make it worse.
Context is VERY important for decision-making and problem-solving.
Here’s another saying I use often:
Empty spaces get filled.
Without context, what do we rely on to make our decisions? Usually it’s assumptions, bias, and/or emotions. Where we lack information to make a good decisions, some of us have a tendency to make up our own information to fill the gap. You know what they say about assumptions, right? Bias is prejudice in favor of or against one thing, person, or group compared with another, usually in a way considered to be unfair, and this doesn’t sound like a good base for decision-making. Emotions are variable and always play a role in decision-making, but it can become a problem when it’s the dominant role. Emotions like fear, anger, and frustration can easily be played against you and drive you to make a decision you’ll come to regret.
So, what to do?
First, understand that information security is about risk management. Risk is the likelihood of something bad happening and the impact if it did. This requires context!
Slow down. Think about the data your consuming and ask yourself if there’s more to the story. Is the new exploit your boss read about the most critical thing you should be attending to? If someone asks you what your most significant risk is, would you have an answer? Could you defend your answer if challenged?
About the world stuff, in short:
Will COVID-19 be the end of the world? – No, it’s highly unlikely. COVID-19 is a pandemic and all pandemics come to an end.
Is COVID-19 serious? – Absolutely! People get sick and people die. It’s 100% serious and we should all do what we can to help ourselves and each other be safe.
If you’re a black man in America, are you going to die at the hands of police? – Even by the most credible research I could find, there’s a 99.9% chance that this will NOT happen. Even .1% is way too high! We need to do everything we can to drive this number much lower. In context, the problem goes beyond the police though.
Well, I hope this helped. Remember to put things into context as much as you are able.
[Evan] Let’s move on to some news topics.
[Evan] Here’s some news I thought was interesting:
Welcome back! Episode 81 is sure to be a good one, but before I get started, just a few thoughts…
We just went through our first Memorial Day weekend under COVID-19. I don’t know what to say about it, other than the world seems as crazy, or crazier, than ever. Seems like 1/2 the country is out and about like everything’s normal while the other 1/2 of the country stays cooped up as though the apocalypse were upon us. To complicate matters, both halves seem to look upon each other with disdain.
We’re learning more and more each day about this coronavirus we call COVID-19. One thing appears certain, we’ve had crappy data to work with since day one. Crappy data leads to crappy decisions and crappy decisions lead to crappy outcomes. I’ll just leave it at that.
This is one of my favorite holidays. I wonder how many of us know what it stands for or what it means. I wonder because I was wished a Happy Memorial Day numerous times yesterday, yet there’s nothing “happy” about it. The day is set aside to remember and honor our nation’s war dead from the Civil War onwards. It’s a day to stop what you’re doing, spend (at least) a few moments remembering the sacrifices that were made by our soldiers, and be grateful.
I suppose there are happy parts too, but these are mostly the product of what somebody else gave for you and me.
Not sure if I’m in a pissier mood today or what. No matter, I’ll snap out of it soon. Let’s get to Brad’s show notes!
SHOW NOTES – Episode 81
Date: Tuesday, May 26th, 2020
Episode 81 Topics
Catching Up (as per usual)
Wrapping Up – Shout outs
[Brad] Welcome back! This is episode 81 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is May 26th, and joining me this morning as usual is Evan Francen.
[Evan] Has some sort of story for us I’m sure
[Brad] We’ve got a good show planned today! Before we get going though, let’s recap our week.
Quick discussion about last week, Memorial Day, last weekend, COVID-19, life, and other stuff.
[Evan] Evan talks about the cool things he did.
[Brad] I talk about the cool things I did.
[Brad] So interestingly, at least to me, this is the first time I struggled with what to cover in our podcast. Maybe the monotony of quarantine, the tidal wave of news around breaches and new attack vectors, or just plain old writer’s block but even sitting down to write this I don’t know where it ended up.
Because I was stuck I decided to start with news, there have been several really interesting things that have come out lately and that’s when I found this article from CSO Online 6 hard truths security pros must learn to live with and, yeah we can talk about this.
The Hard Truths
Discussion about the hard truths outlined in the CSO Online article:
Hackers are probably inside your network right now
You can do everything right and a careless end user can ruin everything
You face critical staffing and skills shortages
IoT creates new and unforeseen security problems
You sometimes feel misunderstood and underappreciated
Stress, anxiety and burnout come with the territory
[Brad] Good conversation, thank you Evan.
Let’s do some news…
[Brad] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye
Developing and delivering simple (but effective and credible) tools to help the under-served do information security better.
Teaching and mentoring others for free. The FRSecure CISSP Mentor Program is in it’s 11th year! We started with six students in 2010, last year we had 532, and this year we had more than 540 enrollments within the first 24 hours! Check it out and enroll here.
What can you do to help? Simple. You can help in (at least) three ways:
Contribute your opinions and feedback (after all, we’re all in this together).
Spread the word. Tell others. Tell them about the S2Org and S2Me assessments and tell them about the FREE FRSecure CISSP Mentor Program!
OK, on to the show…
February is already upon us, and RSA is just around the corner. Speaking of RSA, let’s talk about our industry’s money grab in this week’s episode. Let’s also discuss tips for talking to the board of directors about information security stuff .
This will be fun!
Alright, on to the show notes. This is my (Evan) show to lead and these (below) are my notes.
SHOW NOTES – Episode 65
Date: Monday, February 2nd, 2020
Our topics this week:
The Money Grab
It’s alive and well – everybody wants your $$$.
The Bad Guys Of Course
The “Good Guys” Too?
Talking to the Board
[Evan] Alright, welcome! This is Evan Francen, this is episode 65 of the UNSECURITY Podcast, and the date is February 3rd, 2020. In studio with me is none other than Mr. Brad Nigh. Howdy Brad.
[Brad] We’ll see how awake he is on an early Monday morning.
[Evan] I’m curious, are you a morning person or a night person?
[Brad] I don’t know what he’ll say here…
[Evan] We’ve got a great show planned for you today. Lots to talk about, for sure! We’re going to talk about this industry’s money grab and we’ll cover some tips for speaking to the board of directors. Before we dig in, Brad, how you doing?
Quick Catch-up Talk
[Evan] Alright. Well, let’s get to it. Let’s talk about the money grab in this industry. In case you didn’t know, I’m referring to the information security industry. You have the something that everybody wants. The bad guys, the good guys, and everyone in between. They all want your money. Collectively, I call this the “money grab” and we’re going to discuss this. I want to discuss this because I don’t want you losing your hard earned money to some crook and I don’t want you to piss it away on something that doesn’t do what you thought.
Discussion about the Money Grab
The money grab is alive and well. Everybody wants your $$$. Everybody.
The Bad Guys Of Course
The 2018 cybercrime industry was worth at least $1.5 trillion
Gartner estimated that 2019 industry spending was $124 billion in 2019, and by some estimated it’s expected to grow to more than $170 billion by 2022. NOTE: this is for context only and not to imply that this is wasted spending.
FUD (scare the sh*t out of you) and Sex Sell (buzzwords, new blinky lights, etc.)
[Evan] It’s a dangerous world and people (non-information security people are confused). I wonder how much of this is on purpose. The enterprise organizations can afford to make mistakes, but the smaller players are left in the cold and they’re suffering because they often miss the basics, the fundamentals. I feel bad for the under-served markets, especially SMBs. This is our primary focus. OK, on that note…
Discussion about talking boards of directors and executive management
[Evan] Brad, you and I have had the privilege on many occasions to talk to boards and executives. What tips do we have?
Some good back and forth discussion I’m sure…
After a while, let’s do some news.
[Evan] I’ve only got two stories to discuss today, but I think they’re interesting ones:
[Evan] OK, that’s it. Episode 65 is in the bag. Brad, you’ve got any ideas for next week’s show yet?
[Brad] Maybe he does, maybe he doesn’t…
[Evan] Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at firstname.lastname@example.org. If you would rather do the whole social thing, we tweet sometimes. I’m @evanfrancen and Brad’s @BradNigh. If you like company stuff, we work for SecurityStudio (@studiosecurity) and FRSecure (@FRSecure). The company people post good things from time to time too!
Here we are, already into the 4th week of January and this is the last show for the month.
Quick recap of last week because it was awesome!
On Saturday (1/18), we held our holiday party at Punch Bowl Social. FRSecure and SecurityStudio employees flocked in from all over the country (Nevada, Kentucky, Missouri, Florida, etc.) to celebrate together. We sort of took over the joint with 120+ people eating, drinking, singing karaoke, bowling, playing pool, and hanging out.
One of our core values is “work hard/play hard”, and Lord knows we are experts at both these things! The teams did incredible things in 2019 and every single person played a critical part in our success. It was so awesome to spend time with each other, celebrating (a great 2019) and looking forward to an even better year ahead (2020)! It was a great night!
We gathered everyone together on Monday (1/20) morning for our quarter end/year end meeting. There are no words to describe what these people did in 2019. There isn’t an adequate adjective. By every account, 2019 was a huge success. Not only in terms of dollars and cents, but more importantly in the impact we made on our industry and in people’s lives.
Just a few highlights:
FRSecure has helped more than 1,000 organizations build and maintain better information security programs.
The CISSP Mentor Program helped 532 people learn better information security, secure better career options, and/or successfully pass their CISSP exam. UPDATE: We exceeded the entire 2019 enrollment within 24 hours of opening this year’s registration!
We gave more than 100 talks at conferences all over the United States.
SecurityStudio made great strides in helping organizations and people speak the same (information security language), including the release of the S2Me.
The companies grew at more than 40% again (top line), for the 10th consecutive year.
I could write an entire book about what was accomplished in 2019, and I’m speechless when I think about what we’ll do together this year (2020)!
The Minnetonka HQ office was full and buzzing on Monday! The rest of the week was filled with meetings, conversations, and security stuff. All icing on the cake.
Alright, on to the show notes. This is Brad’s show to lead and these (below) are his notes.
SHOW NOTES – Episode 64
Date: Monday, January 27th, 2020
Our topics this week:
FRSecure Year End
SecurityStudio Year End
3rd-Party/Vendor Risk Management
Let’s get literal.
A deep dive.
Seven “must haves”.
A warning (or two)
Tips for talking to boards
I’m going to RSA this year and I already regret it
[Brad] Welcome back! This is episode 64 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is January 27th, and joining me is my co-host, Evan Francen. Good morning Evan.
[Evan] Something energetic and uplifting I’m sure.
[Brad] We’ve got another great show planned for you this week, and we’ve already got some good topics to talk about next week. This week we’re going to cover a deep dive into 3rd-party (or vendor) risk management. Next week we’re going to cover tips for talking to boards and have a conversation about the RSA money grab. Don’t miss it! I’m guessing it could get controversial.
Before we get started, let’s recap last week quick.
[Brad] I wanted to take some time today talking about Vendor Risk Management and the difference between an audit based certification (SOC2, ISO, HITRUST) vs a risk assessment (S2Org or similar).
[Evan] Yeah man! Let’s do it!
3rd-Party/Vendor Risk Management
[Brad] You added stuff to my show notes! What gives man?
[Evan] Yeah, I couldn’t help myself. Hope you’re OK with it.
[Brad] What’s with “let’s get literal”?
[Brad] Let’s talk about the differences between audit based certification (SOC2, ISO, HITRUST, etc.) versus a risk assessment (S2Org or similar).
The fundamental differences
The positives and negatives to both approaches
At the end of the day, what should an organization be trying to accomplish with their Vendor Risk Management program
What should the vendor share/not share, how do they handle requests for more than they are comfortable sharing
Be sure to mention the new article (not yet posted), “Seven must-haves for effective third-party information security risk management”. You can get the free preview download by emailing us.
[Brad] Hopefully that was helpful to people working on both sides of Vendor Risk Management. Let’s do some news.
Always plenty of things to talk about in the news, and here’s a few stories that caught my eye this week:
[Brad] That’s it. Episode 64 is a wrap. Thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at email@example.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan is @evanfrancen. Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies!
That’s it. Talk to you all again next week!
https://i0.wp.com/evanfrancen.com/wp-content/uploads/2020/01/3rd-party-handshake.jpg?fit=300%2C300&ssl=1300300Evan Francenhttps://evanfrancen.com/wp-content/uploads/2022/09/259CD09D-F0B8-4FFC-A050-C84AD4D31150.pngEvan Francen2020-01-27 06:46:252021-04-23 07:24:07The UNSECURITY Podcast – Episode 64 Show Notes – 3rd Party Risk